DDoS: When Size Matters… Or Not?

Arbor Networks and Radware, probably the two leading vendors focused on DDoS prevention and mitigation, have just published nearly in contemporary (probably not a coincidence) their 2011 reports which analyze, with similar methodologies applied to different stakeholders, one year of DDoS Phenomena occurred during the last year.

These reports are particularly meaningful since they come in a moment in which the waves of DDoS attacks unleashed by the OpMegaUploadas are not completely gone. To all the (too) many information security professionals whose sleep is disturbed by the booms of the Low Orbit Ion Cannons, I suggest to give a look to both documents:

As a matter of fact both reports provide a really interesting overview of this kind of attack which has become the flagship of the hacktivism movements.

From a methodological perspective both reports provide the results of a survey: the one conducted by Arbor Networks consisted of 132 free-form and multiple choice questions, covering a 12-month period from October 2010 through September 2011, whilst the one conducted by Radware consisted of 23 questions concerning the DDoS faced in 2011.

The participants of the Arbor Networks survey included 114 self-classified Tier 1, Tier 2 and other IP network operators from the U.S. and Canada, Latin/South America, EMEA, Africa and Asia, whilst the participants from the Radware survey included 135 organizations with large, medium and small size;ì,

Although the targets of the survey were not completely heterogeneous, and also the analyzed time windows were not exactly the same, I spent some time in comparing the results. In both cases, the message is clear: the DDoS attacks are becoming more and more complex, but the two vendors came to the same conclusion with a substantial difference. Does really size matter?

Hacktvism on the top

In both cases hacktivism ranks at number one among the attack motivations. The 35% of the Arbor Networks participants reported political or ideological attack motivations as the most common, immediately followed by Nihilism/Vandalism (31%). Analogously, the 22% of the Radware participants indicated a political/hacktivism motivation behind the attacks, immediately followed by “Angry Users” (12%). Curiously the 50% of the Radware participants indicated an unknown motivation, against the 19% of the Arbor Networks participants. Although hacktivism ranks undoubtedly at number one, the difference are not surprising: albeit the questions aimed to obtain the same information, they were slightly different: in one case (Arbor Networks) participants were asked to indicate Attack motivations considered common or very common, in the other case (Radware) participants were asked to indicate which motivations from a defined list, they considered behind the DoS /DDoS attacks experienced. Moreover also the different sample of participants may offer a further explanation. Arbor Networks participants are mainly operator, which have more sophisticated equipment to detect and counter attacks, Radware participants are heterogeneous organizations of different sizes, so their response may be “tainted” by emotive considerations or also by a smaller technological culture.

DDoS Attacks are becoming more and more complex assuming the nature of APTs

I was particularly impressed by a statement found in the Radware Report: “The nature of DoS / DDoS attacks has become more of an Advanced Persistent Threat (APT) and, therefore, much more serious.” The report is also more explicit and suggests that, for instance, during a DDoS Attack perpetrated by the Anonymous there is an external ring formed by the volunteers self-made hackers that use LOIC or similar tools (too often without any precautions), and an inner circle formed by skilled hackers who have access to more sophisticated attack methods and tools. The Arbor Networks report substantially agrees with this statement using the term Multi Vector DDoS, emphasizing a shift to Application Layer (Layer 7) DDoS Attacks. In both cases HTTP is the preferred protocol to convey Application Layer DDoS.

Size matters! Or not?

It is interesting to notice the opposite position of the two vendors with regard to the importance of the size for DDoS Attacks. Radware does not consider the size of the attack as the primary factor: the first myth to be debunked is the fact that not necessarily average organizations might experience intense attacks (according to Radware, in the observed period 32% of attacks were less than 10Mbps, while 76% were less than 1Gbps), the second myth to be debunked is the fact that the proper way to measure attacks is by their bytes-per-second (BPS) and packets per-second (PPS) properties. A smaller HTTP connection-based attack can cause more damage with much less traffic than a “traditional” UDP attack.

Arbor Networks has quite a different opinion: his respondents reported a significant increase in the prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks, and indicates that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis. Moreover, the highest-bandwidth attack observed by respondents during the survey period was a 60 Gbps DNS reflection/amplification attack, which however represents a 40 percent decrease from the previous year in terms of sustained attack size for a single attack.

At the end…

There are few doubts about the fact that DDoS attacks are becoming multi-layered and more and more complex, and even that they are mainly motivated by hacktivism. There are also few doubts about the fact that technology is enough mature to provide a crucial support to mitigate them. In any case, there is a further element to take into consideration that is the human factor: as usual technology is useless if the IT Staff is not prepared to face such a similar attacks, gaining an adequate awareness in terms of procedures and (I would say) culture. As Radware stated “the very public attacks last year raised awareness of DoS / DDoS and made organizations acquire better and more capable mitigation solutions” but maybe is not enough…

I absolutely agree and IMHO a furhter factor to take into consideration (which I forgot to mention) besides the different targets of the survey, is the different focus of the two companies. In particular Arbor Networks is historically focuses on ISPs, and this partially explains why this vendor still considers the “size” of an attack as an important matter. On the other hand Radware positioning is different: the company has always been focused at the application level and this partially explains the greater impact of Layer 7 attacks for the latter. In any case those who are supposed to prevent DDoS attacks must be aware of all the different types of attacks ranging from layer 3 to layer and, last but not least, absolutely yes, everything must be read critically!